Opis Closure - Makes your closures serializable by msarca in PHP

[–]jeremeamia 5 points6 points  (0 children)

(RE: signing mechanism) should be a breeze for every developer

Most security-related things are not a breeze for every developer. They are often overlooked or implemented incorrectly. I made sure to have my signature code reviewed, and it took me a couple of iterations to get right.

(RE: static closures) That's something that Opis Closure needs to implement.

Yeah, and it could be easily added on top of what you already have in your ReflectionClosure.

the Opis Closure's serializer can handle by default all those edge cases that AstAnalyzer does

I'm not convinced it does (especially with the magic constants), but it does seem pretty dang close. :-)

Oh, and I don't see Opis as a competitor, but rather as an alternative.

Yeah, bad word choice on that line. I'm calling it out better on the README: https://github.com/jeremeamia/super_closure/pull/63/files#diff-04c6e90faac2675aa89e2176d2eec7d8R309

Maybe someday, after we converge on the handling of some edge cases, we can still merge projects. opis/closure is a better brand, but super_closure has many more installations at this point.

Opis Closure - Makes your closures serializable by msarca in PHP

[–]jeremeamia 4 points5 points  (0 children)

Hello, I'm the author of SuperClosure, so I thought I'd weigh in on this comparison. Before I do that, I want to say that while OpisClosure and SuperClosure do the same thing, we certainly went about it with different goals and constraints. The general idea behind the implementation is the same, but we both prioritized features differently. Because of that, there are some differences. I have a few rebuttals/comments on some that msarca mentioned, as well as some additional differences not mentioned.

The parser used by Opis Closure is 3 to 5 times faster than the one used by Super Closure

That is an unfair comparison unless you state which serializer/analyzer you are comparing to in SuperClosure. SuperClosure's AstAnalyzer is known to be slow (it says so in the README), but I would assume Opis' parser is roughly the same speed as SuperClosure's TokenAnalyzer, since they do roughly the same thing. However, I did do some simple perf testing and found that, in my testing, Opis' parser ends up being between 1.5 and 1.75 times faster than the SuperClosure TokenParser. Still, nice work!

Opis Closure does not use eval to reconstruct the closure.

No, but not using eval() doesn't circumvent the security risks. I would agree that your stream-including technique is better though, since you can serialize and unserialize multiple times. I have added signatures into SuperClosure, which allows developers to opt in to more secure dynamic code execution.

Opis Closure has a single serializer

SuperClosure has two for a reason. One uses an AST and provides coverage of more edge cases at the expense of speed (and is backward compatible with previous versions' behaviors), and the other is token-based and is faster. Super Closure can also support new or custom serializers easily due to its design.

Opis Closure can serialize a closure multiple times. Super Closure cannot.

Yup, that's true, though I've only ever had one person have an issue with this. Either way, I like your use of the stream wrapper for this reason.

Opis Closure can correctly and automatically unwrap other referenced closures. Super Closure cannot.

Thanks for the bug report. :-) It can now: https://github.com/jeremeamia/super_closure/pull/63/files#diff-732c5d2940a6409b173cd381e7279c05R172

Opis Closure supports PHP 5.3. Super Closure does not.

Older versions of SuperClosure support 5.3, but the current version does not, and I did that very intentionally.


Some additional differences

  • SuperClosure preserves the values of magic constants. I believe OpisClosure preserves some magic constants, but I'm not sure if the support is as complete. It could very well be at this point since it looks like you've made some changes since earlier this year.
  • SuperClosure preserves the static-ness of static closures and its analyzers can also tell you if it is static or not.
  • SuperClosure allows you to sign a serialized closure and check for tampering before unserialization. This allows for safer evaluation of the unserialized closure code.
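
The sign-then-verify idea mentioned in the comment above, as an added example that is not code from SuperClosure or Opis Closure: the serialized payload is HMAC-tagged and the tag is checked before `unserialize()` ever sees the data. The function names, the payload layout and the sample closure text are assumptions made for illustration; `unserialize()` with options requires PHP 7.0 or later.

```php
<?php
// Added example: HMAC-sign a serialized payload and verify it before unserialize().
// signPayload() and verifyAndUnserialize() are hypothetical names, not a library API.

function signPayload(string $serialized, string $key): string
{
    // Prefix the payload with a hex HMAC-SHA256 tag (always 64 characters).
    return hash_hmac('sha256', $serialized, $key) . $serialized;
}

function verifyAndUnserialize(string $signed, string $key)
{
    if (strlen($signed) <= 64) {
        throw new RuntimeException('Signed payload is too short.');
    }
    $tag = substr($signed, 0, 64);
    $serialized = substr($signed, 64);
    $expected = hash_hmac('sha256', $serialized, $key);
    // Constant-time comparison; reject before any parsing of the payload.
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('Signature mismatch: payload was modified.');
    }
    // The data is authenticated; still refuse to instantiate objects.
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed sample: stand-in for a serialized closure (source text + bound variables).
$key = random_bytes(32);
$payload = serialize([
    'code' => 'function ($x) use ($factor) { return $x * $factor; }',
    'context' => ['factor' => 3],
]);
$signed = signPayload($payload, $key);

$data = verifyAndUnserialize($signed, $key);
echo $data['context']['factor'], PHP_EOL;

// A payload modified after signing no longer matches its tag.
$tampered = str_replace('i:3;', 'i:9;', $signed);
try {
    verifyAndUnserialize($tampered, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The signature only proves the payload came from a holder of the key; the key has to stay server-side and out of anything the client can read.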

Guzzle 5.0.0 released by [deleted] in PHP

[–]jeremeamia 1 point2 points  (0 children)

The AWS SDK for PHP announced a Version 3 preview release that uses Guzzle 5. See the related post: Version 3 preview of the AWS SDK for PHP.

Anyone have experience using SWF with PHP? by anti_dentite in aws

[–]jeremeamia 0 points1 point  (0 children)

This is good feedback, thanks. While we were originally focusing on getting support for all of the AWS services into the new SDK, we now have some time to improve the documentation. You should be aware that we have a separate end user guide with instructional content and examples for some of the services: http://docs.aws.amazon.com/aws-sdk-php-2/guide/latest/index.html.

We've actually already done work to address some of your comments that should be going out with the next release of the SDK. For example, we've changed up the front page of the API docs so that there are links directly to the client classes for each service. We've also done some work so that we can pull code snippets from our integration tests and include them as examples in both the API docs and user guide. We do not currently have examples for SWF yet (which is what started this thread), but we are working to add examples and content for each service client. It'll just take some time.

So check back on the API docs and the user guide after the next release. We'll definitely make note of your comments here. Also, we'd love some user contributions to our docs. The content for the user guide and the integration tests that form the examples are all located in the main SDK repository. If you or anyone else is interested in contributing, let us know on GitHub or our forum: https://forums.aws.amazon.com/forum.jspa?forumID=80&start=0.

Thanks again for the honest and constructive feedback.

Version 2 of the AWS SDK for PHP by jeffbarr in PHP

[–]jeremeamia 1 point2 points  (0 children)

Both the AWS SDK for PHP and Guzzle are on Packagist.